<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">

  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next-haha.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next-haha.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next-haha.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/7.0.0/css/all.min.css" integrity="sha256-VHqXKFhhMxcpubYf9xiWdCiojEbY9NexQ4jh8AxbvcM=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{"hostname":"ming.theyan.gs","root":"/","images":"/images","scheme":"Pisces","darkmode":false,"version":"8.25.0","exturl":false,"sidebar":{"position":"left","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":true,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"},"path":"/search.xml","localsearch":{"enable":true,"top_n_per_article":1,"unescape":false,"preload":false,"trigger":"auto"}}</script><script src="/js/config.js" defer></script>

    <meta name="description" content="概述这篇文档其实主要讲的是行内关于“打洞”的事情。 什么叫“打洞”通过在两个私网之间打一条隧道（tunnel）而把他们连接起来的方法，行内俗称“打洞”，其实专业的说法应该是“搭建隧道”，在两个能路由的两个单独的私有网络之间搭建一条隧道（tunnel）以便于两个私网之间能够直接互通。">
<meta property="og:type" content="article">
<meta property="og:title" content="Linux下用GRE隧道直接联通两个私网">
<meta property="og:url" content="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index.html">
<meta property="og:site_name" content="运维烂笔头">
<meta property="og:description" content="概述这篇文档其实主要讲的是行内关于“打洞”的事情。 什么叫“打洞”通过在两个私网之间打一条隧道（tunnel）而把他们连接起来的方法，行内俗称“打洞”，其实专业的说法应该是“搭建隧道”，在两个能路由的两个单独的私有网络之间搭建一条隧道（tunnel）以便于两个私网之间能够直接互通。">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index/scene1.png">
<meta property="og:image" content="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index/scene2.png">
<meta property="og:image" content="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index/scene3.png">
<meta property="article:published_time" content="2016-08-30T06:32:47.000Z">
<meta property="article:modified_time" content="2019-04-04T23:47:07.006Z">
<meta property="article:author" content="老杨">
<meta property="article:tag" content="GRE">
<meta property="article:tag" content="tunnel">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index/scene1.png">


<link rel="canonical" href="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/">


<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"zh-CN","comments":true,"permalink":"https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index.html","path":"2016/08/Linux下用GRE隧道直接联通两个私网/index.html","title":"Linux下用GRE隧道直接联通两个私网"}</script>

<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>Linux下用GRE隧道直接联通两个私网 | 运维烂笔头</title>
  
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-106574959-2"></script>
  <script class="next-config" data-name="google_analytics" type="application/json">{"tracking_id":"UA-106574959-2","only_pageview":false,"measure_protocol_api_secret":null}</script>
  <script src="/js/third-party/analytics/google-analytics.js" defer></script>

  <script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
  <script async src="https://hm.baidu.com/hm.js?fdef9ded31bdb8b2dab08eddebdd5fed"></script>







  
  <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script><script src="/js/bookmark.js" defer></script>

  <script src="https://cdnjs.cloudflare.com/ajax/libs/hexo-generator-searchdb/1.5.0/search.js" integrity="sha256-xFC6PJ82SL9b3WkGjFavNiA9gm5z6UBxWPiu4CYjptg=" crossorigin="anonymous" defer></script>
<script src="/js/third-party/search/local-search.js" defer></script>







  




<!-- google adsense -->
<script data-ad-client="ca-pub-1045025618858716" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
<link rel="alternate" href="/atom.xml" title="运维烂笔头" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <div class="column">
      <header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <p class="site-title">运维烂笔头</p>
      <i class="logo-line"></i>
    </a>
      <p class="site-subtitle" itemprop="description">一个 SA 老兵的工作日志</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger" aria-label="搜索" role="button">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu"><li class="menu-item menu-item-projects"><a href="/projects" rel="section"><i class="fa fa-code fa-fw"></i>projects</a></li><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li><li class="menu-item menu-item-about"><a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li><li class="menu-item menu-item-sitemap"><a href="/sitemap.xml" rel="section"><i class="fa fa-sitemap fa-fw"></i>站点地图</a></li><li class="menu-item menu-item-commonweal"><a href="/404/" rel="section"><i class="fa fa-heartbeat fa-fw"></i>公益 404</a></li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
      <div class="search-header">
        <span class="search-icon">
          <i class="fa fa-search"></i>
        </span>
        <div class="search-input-container">
          <input autocomplete="off" autocapitalize="off" maxlength="80"
                placeholder="搜索..." spellcheck="false"
                type="search" class="search-input">
        </div>
        <span class="popup-btn-close" role="button">
          <i class="fa fa-times-circle"></i>
        </span>
      </div>
      <div class="search-result-container">
        <div class="search-result-icon">
          <i class="fa fa-spinner fa-pulse fa-5x"></i>
        </div>
      </div>
    </div>
  </div>

</header>
        
  
  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <div class="sidebar-panel-container">
        <!--noindex-->
        <div class="post-toc-wrap sidebar-panel">
            <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#%E6%A6%82%E8%BF%B0"><span class="nav-number">1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E4%BB%80%E4%B9%88%E5%8F%AB%E2%80%9C%E6%89%93%E6%B4%9E%E2%80%9D"><span class="nav-number">2.</span> <span class="nav-text">什么叫“打洞”</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E4%B8%BA%E4%BB%80%E4%B9%88%E8%A6%81%E2%80%9C%E6%89%93%E6%B4%9E%E2%80%9D"><span class="nav-number">3.</span> <span class="nav-text">为什么要“打洞”</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%88%9A%E9%9C%80"><span class="nav-number">3.1.</span> <span class="nav-text">刚需</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%B8%AD%E5%B0%8F%E4%BC%81%E4%B8%9A%E5%9C%BA%E6%99%AF"><span class="nav-number">3.2.</span> <span class="nav-text">中小企业场景</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E6%80%8E%E6%A0%B7%E2%80%9C%E6%89%93%E6%B4%9E%E2%80%9D"><span class="nav-number">4.</span> <span class="nav-text">怎样“打洞”</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%9C%BA%E6%99%AF%E4%B8%80"><span class="nav-number">4.1.</span> <span class="nav-text">场景一</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%9C%BA%E6%99%AF%E4%BA%8C"><span class="nav-number">4.2.</span> <span class="nav-text">场景二</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%9C%BA%E6%99%AF%E4%B8%89"><span class="nav-number">4.3.</span> <span class="nav-text">场景三</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E8%B0%83%E6%95%B4MTU"><span class="nav-number">5.</span> <span class="nav-text">调整MTU</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E4%BC%98%E7%82%B9"><span class="nav-number">6.</span> <span class="nav-text">优点</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%81%BF%E5%85%8D%E5%BC%95%E5%85%A5%E4%BA%92%E8%81%94IP"><span class="nav-number">6.1.</span> <span class="nav-text">避免引入互联IP</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E7%BB%B4%E6%8A%A4%E6%96%B9%E4%BE%BF"><span class="nav-number">6.2.</span> <span class="nav-text">配置文件维护方便</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%85%B6%E4%BB%96"><span class="nav-number">7.</span> <span class="nav-text">其他</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%90%AF%E5%81%9C%E5%91%BD%E4%BB%A4"><span class="nav-number">7.1.</span> <span class="nav-text">启停命令</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%9D%99%E6%80%81%E8%B7%AF%E7%94%B1"><span class="nav-number">7.2.</span> <span class="nav-text">静态路由</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%AD%98%E5%9C%A8%E9%97%AE%E9%A2%98"><span class="nav-number">8.</span> <span class="nav-text">存在问题</span></a></li></ol></div>
        </div>
        <!--/noindex-->

        <div class="site-overview-wrap sidebar-panel">
          <div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">老杨</p>
  <div class="site-description" itemprop="description">好记性比不过烂笔头</div>
</div>
<div class="site-state-wrap animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
        <a href="/archives/">
          <span class="site-state-item-count">114</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
          <a href="/categories/">
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
          <a href="/tags/">
        <span class="site-state-item-count">509</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author animated">
      <span class="links-of-author-item">
        <a href="https://github.com/haw-haw" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;haw-haw" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:blog@theyan.gs" title="E-Mail → mailto:blog@theyan.gs" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://weibo.com/u/1494877243" title="Weibo → https:&#x2F;&#x2F;weibo.com&#x2F;u&#x2F;1494877243" rel="noopener me" target="_blank"><i class="fab fa-weibo fa-fw"></i>Weibo</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://twitter.com/6fool" title="Twitter → https:&#x2F;&#x2F;twitter.com&#x2F;6fool" rel="noopener me" target="_blank"><i class="fab fa-twitter fa-fw"></i>Twitter</a>
      </span>
  </div>

        </div>
      </div>
    </div>

    
    <div class="sidebar-inner sidebar-blogroll">
      <div class="links-of-blogroll animated">
        <div class="links-of-blogroll-title"><i class="fa fa-globe fa-fw"></i>
          链接
        </div>
        <ul class="links-of-blogroll-list">
            <li class="links-of-blogroll-item">
              <a href="https://bad-pencil.github.io/" title="https:&#x2F;&#x2F;bad-pencil.github.io" rel="noopener" target="_blank">github 镜像站</a>
            </li>
            <li class="links-of-blogroll-item">
              <a href="https://hawhaw.gitee.io/" title="https:&#x2F;&#x2F;hawhaw.gitee.io" rel="noopener" target="_blank">gitee 镜像站</a>
            </li>
        </ul>
      </div>
    </div>
  </aside>


    </div>

    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ming.theyan.gs/2016/08/Linux%E4%B8%8B%E7%94%A8GRE%E9%9A%A7%E9%81%93%E7%9B%B4%E6%8E%A5%E8%81%94%E9%80%9A%E4%B8%A4%E4%B8%AA%E7%A7%81%E7%BD%91/index.html">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="老杨">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="运维烂笔头">
      <meta itemprop="description" content="好记性比不过烂笔头">
    </span>

    <span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
      <meta itemprop="name" content="Linux下用GRE隧道直接联通两个私网 | 运维烂笔头">
      <meta itemprop="description" content="">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Linux下用GRE隧道直接联通两个私网
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2016-08-30 14:32:47" itemprop="dateCreated datePublished" datetime="2016-08-30T14:32:47+08:00">2016-08-30</time>
    </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar-check"></i>
      </span>
      <span class="post-meta-item-text">更新于</span>
      <time title="修改时间：2019-04-05 07:47:07" itemprop="dateModified" datetime="2019-04-05T07:47:07+08:00">2019-04-05</time>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody"><h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h1><p>这篇文档其实主要讲的是行内关于“打洞”的事情。</p>
<h1 id="什么叫“打洞”"><a href="#什么叫“打洞”" class="headerlink" title="什么叫“打洞”"></a>什么叫“打洞”</h1><p>通过在两个私网之间打一条隧道（tunnel）而把他们连接起来的方法，行内俗称“<strong>打洞</strong>”，其实专业的说法应该是“搭建隧道”，在两个能路由的两个单独的私有网络之间搭建一条隧道（tunnel）以便于两个私网之间能够直接互通。<br><a id="more"></a></p>
<h1 id="为什么要“打洞”"><a href="#为什么要“打洞”" class="headerlink" title="为什么要“打洞”"></a>为什么要“打洞”</h1><h2 id="刚需"><a href="#刚需" class="headerlink" title="刚需"></a>刚需</h2><p>这个恐怕对于大多数互联网企业来讲，都是绕不开的需求。互联网公司大多有好些单独的私网，比如，每个单独的办公环境都有单独的私网吧，还有托管机房是不是也有单独的私网？如果用了公有云的话，那么每个公有云是不是也有单独的私网？而“打洞”就是为了把这些网络无缝的连接起来，组成一张大的“内网”。显而易见有几个好处：</p>
<ul>
<li>办公网的每一个用户可以自动漫游，无需修改配置而访问办公网的每一个节点</li>
<li>办公、管理都走私网，貌似更显得专业、安全一些</li>
</ul>
<h2 id="中小企业场景"><a href="#中小企业场景" class="headerlink" title="中小企业场景"></a>中小企业场景</h2><p>我们这里主要讲中小企业常用的Linux+GRE+tunnel方案，为什么不提大型企业呢？因为大公司大多直接采购专业的网络设备来做类似的工作了，更有甚者，直接租用点对点专线来直连各个私网，所以高富帅的生活我等屌丝不懂，也就不在这里讨论了。</p>
<h1 id="怎样“打洞”"><a href="#怎样“打洞”" class="headerlink" title="怎样“打洞”"></a>怎样“打洞”</h1><p>下面就以在CentOS6.x(CentOS7.x其实是一样的)下为例来讲下怎样打洞（GRE tunnel），其他Linux发行版下的情况可以同理推之。</p>
<h2 id="场景一"><a href="#场景一" class="headerlink" title="场景一"></a>场景一</h2><p>如下图所示：两个私网的网关都分别直接有公网地址。这个场景应该是最普遍的场景。</p>
<img src="/2016/08/Linux下用GRE隧道直接联通两个私网/index/scene1.png" title="[场景一图片]">
<p>注意：上图由如下graphviz代码生成。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">&lt;graphviz dot&gt;</span><br><span class="line">digraph G &#123;</span><br><span class="line">  rankdir=&quot;LR&quot;;</span><br><span class="line">  GA [shape=box, label=&quot;GW_A&quot;];</span><br><span class="line">  NetA [label=&quot;NetA\n10.0.0.0/24&quot;];</span><br><span class="line">  GA -&gt; NetA [dir=none, taillabel=&quot;.1&quot;];</span><br><span class="line">  GA -&gt; Internet [dir=none, taillabel=&quot;1.1.1.1&quot;];</span><br><span class="line">  Internet [label=&quot;internet&quot;];</span><br><span class="line">  Internet -&gt; GB [dir=none, headlabel=&quot;2.2.2.2&quot;];</span><br><span class="line">  GB [shape=box, label=&quot;GW_B&quot;];</span><br><span class="line">  GB -&gt; NetB [dir=none, taillabel=&quot;.1&quot;];</span><br><span class="line">  NetB [label=&quot;NetB\n10.0.1.0/24&quot;];</span><br><span class="line">  GA -&gt; GB [dir=&quot;none&quot;, style=&quot;dotted&quot;, label=&quot;GRE tunnel&quot;, headlabel=&quot;gw&quot;, taillabel=&quot;gw&quot;, constraint=false];</span><br><span class="line">  &#123;rank=same GA NetA&#125;</span><br><span class="line">  &#123;rank=same GB NetB&#125;</span><br><span class="line">&#125;</span><br><span class="line">&lt;/graphviz&gt;</span><br></pre></td></tr></table></figure></p>
<p>这个配置是最好写了，在GW_A上写配置文件<em>/etc/sysconfig/network-scripts/ifcfg-gw</em></p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">DEVICE</span>=gw</span><br><span class="line"><span class="attr">ONBOOT</span>=<span class="literal">yes</span></span><br><span class="line"><span class="attr">TYPE</span>=GRE</span><br><span class="line"><span class="attr">PEER_OUTER_IPADDR</span>=<span class="number">2.2</span>.<span class="number">2.2</span></span><br><span class="line"><span class="attr">PEER_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">1.0</span>/<span class="number">24</span></span><br><span class="line"><span class="attr">MY_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">0.1</span></span><br><span class="line"><span class="attr">KEY</span>=haw-haw.org</span><br><span class="line"><span class="attr">BOOTPROTO</span>=none</span><br></pre></td></tr></table></figure>
<p>同样的，在GW_B上写配置文件<em>/etc/sysconfig/network-scripts/ifcfg-gw</em></p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">DEVICE</span>=gw</span><br><span class="line"><span class="attr">ONBOOT</span>=<span class="literal">yes</span></span><br><span class="line"><span class="attr">TYPE</span>=GRE</span><br><span class="line"><span class="attr">PEER_OUTER_IPADDR</span>=<span class="number">1.1</span>.<span class="number">1.1</span></span><br><span class="line"><span class="attr">PEER_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">0.0</span>/<span class="number">24</span></span><br><span class="line"><span class="attr">MY_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">1.1</span></span><br><span class="line"><span class="attr">KEY</span>=haw-haw.org</span><br><span class="line"><span class="attr">BOOTPROTO</span>=none</span><br></pre></td></tr></table></figure>
<p>最后，分别在GW_A和GW_B上分别激活网络设备gw即可，具体命令是：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifup gw;</span><br></pre></td></tr></table></figure>
<h2 id="场景二"><a href="#场景二" class="headerlink" title="场景二"></a>场景二</h2><p>如下图所示：只有一个私网的网关（GW_B）直接有公网地址，另外一个(GW_A)没有直接接公网，但是它在Firewall A设备上有个一对一的NAT(ip是1.1.1.1)，这个情况就稍稍复杂一些。</p>
<img src="/2016/08/Linux下用GRE隧道直接联通两个私网/index/scene2.png" title="[场景二图片]">
<p>注意：上图由如下graphviz代码生成。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">&lt;graphviz dot&gt;</span><br><span class="line">digraph G &#123;</span><br><span class="line">  newrank=true;</span><br><span class="line">  rankdir=LR;</span><br><span class="line">  compound=true;</span><br><span class="line">  FWA [shape=box, label=&quot;Firewall A&quot;];</span><br><span class="line">  subgraph cluster_NetA &#123;</span><br><span class="line">    rankdir=LR;</span><br><span class="line">    graph [style=&quot;dotted&quot;];</span><br><span class="line">    label=&quot;NetA\n10.0.0.0/24&quot;;</span><br><span class="line">    GA [shape=box, label=&quot;GW_A\n.1&quot;];</span><br><span class="line">  &#125;</span><br><span class="line">  Internet [label=&quot;internet&quot;];</span><br><span class="line">  GB [shape=box, label=&quot;GW_B&quot;];</span><br><span class="line">  NetB [label=&quot;NetB\n10.0.1.0/24&quot;];</span><br><span class="line">  FWA -&gt; GA [dir=&quot;none&quot;, lhead=&quot;cluster_NetA&quot;, minlen=2];</span><br><span class="line">  FWA -&gt; Internet [dir=none, taillabel=&quot;1.1.1.1&quot;, minlen=2, labeldistance=2];</span><br><span class="line">  GA -&gt; Internet [dir=none, style=&quot;dashed&quot;, taillabel=&quot;1.1.1.1(NAT)&quot;, constraint=false, labeldistance=3];</span><br><span class="line">  Internet -&gt; GB [dir=none, headlabel=&quot;2.2.2.2&quot;, minlen=1.5, labeldistance=2];</span><br><span class="line">  GB -&gt; NetB [dir=none, taillabel=&quot;.1&quot;];</span><br><span class="line">  GA -&gt; GB [dir=&quot;none&quot;, style=&quot;dotted&quot;, label=&quot;GRE tunnel&quot;, headlabel=&quot;gw&quot;, taillabel=&quot;gw&quot;, constraint=false, labeldistance=1];</span><br><span class="line">  &#123;rank=same GB NetB&#125;</span><br><span class="line">  &#123;rank=same FWA GA&#125;</span><br><span class="line">&#125;</span><br><span class="line">&lt;/graphviz&gt;</span><br></pre></td></tr></table></figure></p>
<p>在GW_A上写配置文件<em>/etc/sysconfig/network-scripts/ifcfg-gw</em></p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">DEVICE</span>=gw</span><br><span class="line"><span class="attr">ONBOOT</span>=<span class="literal">yes</span></span><br><span class="line"><span class="attr">TYPE</span>=GRE</span><br><span class="line"><span class="attr">PEER_OUTER_IPADDR</span>=<span class="number">2.2</span>.<span class="number">2.2</span></span><br><span class="line"><span class="attr">PEER_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">1.0</span>/<span class="number">24</span></span><br><span class="line"><span class="attr">MY_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">0.1</span></span><br><span class="line"><span class="attr">KEY</span>=haw-haw.org</span><br><span class="line"><span class="attr">BOOTPROTO</span>=none</span><br></pre></td></tr></table></figure>
<p>同样的，在GW_B上写配置文件<em>/etc/sysconfig/network-scripts/ifcfg-gw</em></p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">DEVICE</span>=gw</span><br><span class="line"><span class="attr">ONBOOT</span>=<span class="literal">yes</span></span><br><span class="line"><span class="attr">TYPE</span>=GRE</span><br><span class="line"><span class="attr">PEER_OUTER_IPADDR</span>=<span class="number">1.1</span>.<span class="number">1.1</span></span><br><span class="line"><span class="attr">PEER_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">0.0</span>/<span class="number">24</span></span><br><span class="line"><span class="attr">MY_INNER_IPADDR</span>=<span class="number">10.0</span>.<span class="number">1.1</span></span><br><span class="line"><span class="attr">KEY</span>=haw-haw.org</span><br><span class="line"><span class="attr">BOOTPROTO</span>=none</span><br></pre></td></tr></table></figure>
<p>最后，分别在GW_A和GW_B上分别激活网络设备gw即可，具体命令是：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifup gw;</span><br></pre></td></tr></table></figure>
<p>细心的人会发现，这两种场景下配置文件是一样的！对，就是一样的。:)</p>
<h2 id="场景三"><a href="#场景三" class="headerlink" title="场景三"></a>场景三</h2><p>如下图所示：两个私网的网关（GW_A和GW_B）都没有公网地址，都是通过防火墙设备(Firewall A和Firewall B)上分别做的一对一的NAT(ip分别是1.1.1.1和2.2.2.2)。</p>
<img src="/2016/08/Linux下用GRE隧道直接联通两个私网/index/scene3.png" title="[场景三图片]">
<p>注意：上图由如下graphviz代码生成。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">&lt;graphviz dot&gt;</span><br><span class="line">digraph G &#123;</span><br><span class="line">  newrank=true;</span><br><span class="line">  rankdir=LR;</span><br><span class="line">  compound=true;</span><br><span class="line">  FWA [shape=box, label=&quot;Firewall A&quot;];</span><br><span class="line">  subgraph cluster_NetA &#123;</span><br><span class="line">    rankdir=LR;</span><br><span class="line">    graph [style=&quot;dotted&quot;];</span><br><span class="line">    label=&quot;NetA\n10.0.0.0/24&quot;;</span><br><span class="line">    GA [shape=box, label=&quot;GW_A\n.1&quot;];</span><br><span class="line">  &#125;</span><br><span class="line">  Internet [label=&quot;internet&quot;];</span><br><span class="line">  FWB [shape=box, label=&quot;Firewall B&quot;];</span><br><span class="line">  subgraph cluster_NetB &#123;</span><br><span class="line">    rankdir=LR;</span><br><span class="line">    graph [style=&quot;dotted&quot;];</span><br><span class="line">    label=&quot;NetB\n10.0.1.0/24&quot;;</span><br><span class="line">    GB [shape=box, label=&quot;GW_B\n.1&quot;];</span><br><span class="line">  &#125;</span><br><span class="line">  FWA -&gt; Internet [dir=none, taillabel=&quot;1.1.1.1&quot;, minlen=2, labeldistance=2];</span><br><span class="line">  Internet -&gt; FWB [dir=&quot;none&quot;, headlabel=&quot;2.2.2.2&quot;, minlen=2, labeldistance=2];</span><br><span class="line">  FWA -&gt; GA [dir=&quot;none&quot;, lhead=&quot;cluster_NetA&quot;, minlen=2];</span><br><span class="line">  FWB -&gt; GB [dir=&quot;none&quot;, lhead=&quot;cluster_NetB&quot;, minlen=2];</span><br><span class="line">  GA -&gt; Internet [dir=none, style=&quot;dashed&quot;, taillabel=&quot;1.1.1.1(NAT)&quot;, constraint=false, labeldistance=3];</span><br><span class="line">  Internet -&gt; GB [dir=none, style=&quot;dashed&quot;, headlabel=&quot;2.2.2.2(NAT)&quot;, minlen=1.5, labeldistance=2];</span><br><span class="line">  GA -&gt; GB [dir=&quot;none&quot;, style=&quot;dotted&quot;, label=&quot;GRE tunnel&quot;, headlabel=&quot;gw&quot;, taillabel=&quot;gw&quot;, constraint=false, labeldistance=1];</span><br><span class="line">  &#123;rank=same FWB GB&#125;</span><br><span class="line">  &#123;rank=same FWA GA&#125;</span><br><span class="line">&#125;</span><br><span class="line">&lt;/graphviz&gt;</span><br></pre></td></tr></table></figure></p>
<p>GW_A和GW_B上的配置，跟前两种场景是一样的。</p>
<h1 id="调整MTU"><a href="#调整MTU" class="headerlink" title="调整MTU"></a>调整MTU</h1><p>这点很重要！不做这个的话你的网络也许会出各种各样的神奇问题！：）</p>
<p>方法很简单，在GW_A和GW_B的机器上分别执行</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">iptables -t mangle \</span><br><span class="line">    -A FORWARD \</span><br><span class="line">    -p tcp \</span><br><span class="line">    -m tcp \</span><br><span class="line">    --tcp-flags SYN,RST SYN \</span><br><span class="line">    -j TCPMSS \</span><br><span class="line">    --clamp-mss-to-pmtu;</span><br></pre></td></tr></table></figure>
<h1 id="优点"><a href="#优点" class="headerlink" title="优点"></a>优点</h1><p>这样配置的好处是显而易见的：</p>
<h2 id="避免引入互联IP"><a href="#避免引入互联IP" class="headerlink" title="避免引入互联IP"></a>避免引入互联IP</h2><p>行内其他的方案其实也差不多，唯一比较大的区别是其他方案一般都会在GW_A和GW_B的隧道虚接口gw上配上互联IP地址来用于互通，然后把对端的私有网络地址段的路由指向对端隧道虚接口gw的互联IP。这样做其实也能实现功能，但是有几个问题：</p>
<ul>
<li>网关机器GW_A和GW_B跟对端私网的非网关的其他机器的私网通讯可能会有问题，需要其他机器上到互联ip所在网段的路由正好指向本网段的网关地址</li>
<li>简单看是仅多一对互联IP，但其实是整多一个互联网段！这对于ip地址及网络的维护带来的工作量不能低估</li>
</ul>
<h2 id="配置文件维护方便"><a href="#配置文件维护方便" class="headerlink" title="配置文件维护方便"></a>配置文件维护方便</h2><ul>
<li>保证重启服务器、重启网络甚至于重启网络设备都会正确读取配置</li>
<li>虚接口也可以单独启停，维护起来相当方便</li>
<li>维护模式相当清晰，改动起来非常方便</li>
</ul>
<h1 id="其他"><a href="#其他" class="headerlink" title="其他"></a>其他</h1><h2 id="启停命令"><a href="#启停命令" class="headerlink" title="启停命令"></a>启停命令</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">ifup gw;<span class="comment"># start</span></span><br><span class="line">ifdown gw;<span class="comment"># stop</span></span><br></pre></td></tr></table></figure>
<p>需要注意的是：在以上三种场景中，都需要确认在NetA和NetB网络中机器上到10.0.1.0/24和10.0.0.0/24的路由分别指向了GW_A和GW_B(可以分别在default gw上做)</p>
<h2 id="静态路由"><a href="#静态路由" class="headerlink" title="静态路由"></a>静态路由</h2><p>在某些具体的场景下，比如NetA后面还接的有NetC，IP地址段是172.16.1.0/24，那么为了让NetB和NetC能私网互通，则必须要在NetB的网关GW_B上将NetC的地址172.16.1.0/24指向NetA的网关地址GW_A才行，这种情况下只需要在GW_B上编辑配置文件<em>/etc/sysconfig/network-scripts/route-gw</em>，其内容如下：</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">172.16.1.0/24 dev gw src 10.0.1.1</span><br></pre></td></tr></table></figure>
<p>这样设置的静态路由会在<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifup gw;</span><br></pre></td></tr></table></figure></p>
<p>时自动被启用，<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifdown gw;</span><br></pre></td></tr></table></figure></p>
<p>时自动删除，能不能不要这么方便、人性化！</p>
<h1 id="存在问题"><a href="#存在问题" class="headerlink" title="存在问题"></a>存在问题</h1><p>本文话题到此就结束了，但是安全意识强的同学就会马上意识到：这种方式把几个不同的网络连成了一个大三层的网络，的确是很方便，但是网络之间的通讯没有被加密，直接明文传输，是不是不太合适？好问题！所以，下一篇文章我们将讲一下怎样把网络之间的流量加密一下。请看，进阶阅读：<a href="/2016/08/CentOS6-x下用ipsec加密GRE隧道/">CentOS6.x下用ipsec加密GRE隧道</a>。</p>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="reward-container">
  <div>请我一杯咖啡吧！</div>
  <button>
    赞赏
  </button>
  <div class="post-reward">
      <div>
        <img src="/images/wechat-reward.png" alt="老杨 微信">
        <span>微信</span>
      </div>
      <div>
        <img src="/images/alipay-reward.png" alt="老杨 支付宝">
        <span>支付宝</span>
      </div>

  </div>
</div>

          <div class="followme">
  <span>欢迎关注我的其它发布渠道</span>

  <div class="social-list">

      <div class="social-item">
          <a target="_blank" class="social-link" href="https://twitter.com/6fool">
            <span class="icon">
              <i class="fab fa-twitter"></i>
            </span>

            <span class="label">Twitter</span>
          </a>
      </div>

      <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
      </div>
  </div>
</div>

          <div class="post-tags">
              <a href="/tags/GRE/" rel="tag"># GRE</a>
              <a href="/tags/tunnel/" rel="tag"># tunnel</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/2016/08/CentOS6-x%E4%B8%8B%E7%94%A8ipsec%E5%8A%A0%E5%AF%86GRE%E9%9A%A7%E9%81%93/index.html" rel="prev" title="CentOS6.x下用ipsec加密GRE隧道">
                  <i class="fa fa-angle-left"></i> CentOS6.x下用ipsec加密GRE隧道
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/2016/08/CentOS%E4%B8%8B%E6%80%8E%E6%A0%B7%E5%B9%B2%E6%8E%89IPv6/index.html" rel="next" title="CentOS下怎样干掉IPv6">
                  CentOS下怎样干掉IPv6 <i class="fa fa-angle-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
</div>






</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">

  <div class="copyright">
    &copy; 
    <span itemprop="copyrightYear">2025</span>
    <span class="with-love">
      <i class="fa fa-heart"></i>
    </span>
    <span class="author" itemprop="copyrightHolder">老杨</span>
  </div>
  <div class="powered-by">由 <a href="https://hexo.io/" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/pisces/" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <div class="toggle sidebar-toggle" role="button">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>
  <div class="sidebar-dimmer"></div>
  <div class="back-to-top" role="button" aria-label="返回顶部">
    <i class="fa fa-arrow-up fa-lg"></i>
    <span>0%</span>
  </div>
  <a role="button" class="book-mark-link book-mark-link-fixed"></a>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>

</body>
</html>
